History log of /openbmc/linux/crypto/asymmetric_keys/verify_pefile.c (Results 201 – 224 of 224)
# caf382fe 14-Sep-2014 Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Merge 3.17-rc5 into staging-next.

This fixes a merge conflict in lustre, and we want the other fixes that
went into 3.17-rc5 as well.

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


Revision tags: v3.17-rc5
# db985cbd 14-Sep-2014 Thomas Gleixner <tglx@linutronix.de>

Merge tag 'irqchip-core-3.18' of git://git.infradead.org/users/jcooper/linux into irq/core

irqchip core changes for v3.18

- renesas: suspend to RAM, runtime PM, cleanups and DT binding docs
- keystone: add new driver
- hip04: add Hisilicon HiP04 driver (without touching irq-gic.c)
- gic: Use defines instead of magic number, preserve v2 bypass bits
- handle_domain_irq: common low level interrupt entry handler


# 336879b1 11-Sep-2014 Daniel Vetter <daniel.vetter@ffwll.ch>

Merge remote-tracking branch 'airlied/drm-next' into topic/vblank-rework

Dave asked me to do the backmerge before sending him the revised pull
request, so here we go. Nothing fancy in the conflicts, just a few
things changed right next to each another.

Conflicts:
drivers/gpu/drm/drm_irq.c

Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>


# bdea534d 08-Sep-2014 Ingo Molnar <mingo@kernel.org>

Merge tag 'v3.17-rc4' into perf/core, to pick up fixes

Signed-off-by: Ingo Molnar <mingo@kernel.org>


# f7cc38b1 08-Sep-2014 Felipe Balbi <balbi@ti.com>

Merge tag 'v3.17-rc4' into next

Merge Linux 3.17-rc4 here so we have all the latest
fixes on next too. This also cleans up a few conflicts
when applying patches.

Signed-off-by: Felipe Balbi <balbi@ti.com>

Conflicts:
drivers/usb/gadget/Makefile
drivers/usb/gadget/function/Makefile
drivers/usb/gadget/legacy/Makefile
drivers/usb/phy/phy-samsung-usb.h


# e2627dce 08-Sep-2014 Ingo Molnar <mingo@kernel.org>

Merge tag 'v3.17-rc4' into sched/core, to prevent conflicts with upcoming patches, and to refresh the tree

Linux 3.17-rc4


# eb84d6b6 07-Sep-2014 David S. Miller <davem@davemloft.net>

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net


Revision tags: v3.17-rc4
# 516d5f8b 03-Sep-2014 Dmitry Torokhov <dmitry.torokhov@gmail.com>

Merge tag 'v3.17-rc3' into next

Sync with mainline to bring in Chrome EC changes.


# 5a147c9f 03-Sep-2014 Linus Torvalds <torvalds@linux-foundation.org>

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull key subsystem fixes from James Morris:
"Fixes for the keys subsystem, one of which addresses a use-after-free
bug"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
PEFILE: Relax the check on the length of the PKCS#7 cert
KEYS: Fix use-after-free in assoc_array_gc()
KEYS: Fix public_key asymmetric key subtype name
KEYS: Increase root_maxkeys and root_maxbytes sizes


# 05244d16 03-Sep-2014 Takashi Iwai <tiwai@suse.de>

Merge tag 'asoc-v3.17-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus

ASoC: Fixes for v3.17

A few more driver specific fixes on top of the currently pending fixes
(which are already in your tree but not Linus').


# 0aa04094 02-Sep-2014 David Howells <dhowells@redhat.com>

PEFILE: Relax the check on the length of the PKCS#7 cert

Relax the check on the length of the PKCS#7 cert as it appears that the PE
file wrapper size gets rounded up to the nearest 8.

The debugging output looks like this:

PEFILE: ==> verify_pefile_signature()
PEFILE: ==> pefile_parse_binary()
PEFILE: checksum @ 110
PEFILE: header size = 200
PEFILE: cert = 968 @547be0 [68 09 00 00 00 02 02 00 30 82 09 56 ]
PEFILE: sig wrapper = { 968, 200, 2 }
PEFILE: Signature data not PKCS#7

The wrapper is the first 8 bytes of the hex dump inside []. This indicates a
length of 0x968 bytes, including the wrapper header - so 0x960 bytes of
payload.

The ASN.1 wrapper begins [ ... 30 82 09 56 ]. That indicates an object of size
0x956 - a four byte discrepancy, presumably just padding for alignment
purposes.

So we just check that the ASN.1 container is no bigger than the payload and
reduce the recorded size appropriately.

Whilst we're at it, allow shorter PKCS#7 objects that manage to squeeze within
127 or 255 bytes. It's just about conceivable if no X.509 certs are included
in the PKCS#7 message.

Reported-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Vivek Goyal <vgoyal@redhat.com>
Acked-by: Peter Jones <pjones@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
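
The length check this commit message describes, as an added C example that is not the kernel's code: it strips the 8-byte wrapper, derives the PKCS#7 size from the ASN.1 SEQUENCE header, and accepts trailing padding as long as the container fits the payload. `strip_sig_wrapper` and `demo` are hypothetical names, and the sample blob is constructed from the wrapper bytes in the debugging output, zero-filled to 0x968 bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WRAPPER_LEN 8	/* length (LE32), revision (LE16), cert type (LE16) */

/* Hypothetical helper, not kernel code. Returns the PKCS#7 length with any
 * trailing padding excluded, or -1 if the certificate blob is malformed. */
long strip_sig_wrapper(const uint8_t *blob, size_t blob_len)
{
	if (blob_len < WRAPPER_LEN + 4)
		return -1;
	uint32_t wlen = blob[0] | blob[1] << 8 | blob[2] << 16 |
			(uint32_t)blob[3] << 24;
	if (wlen < WRAPPER_LEN + 4 || wlen > blob_len)
		return -1;	/* wrapper claims more data than we hold */
	if ((blob[4] | blob[5] << 8) != 0x0200 || (blob[6] | blob[7] << 8) != 0x0002)
		return -1;	/* revision 2.0, PKCS#7 signed data expected */

	const uint8_t *p = blob + WRAPPER_LEN;
	size_t payload = wlen - WRAPPER_LEN, der;

	if (p[0] != 0x30)	/* ASN.1 constructed SEQUENCE */
		return -1;
	if (p[1] <= 0x7f)	/* short form: content of up to 127 bytes */
		der = p[1] + 2u;
	else if (p[1] == 0x81)	/* one length byte: up to 255 bytes */
		der = p[2] + 3u;
	else if (p[1] == 0x82)	/* two length bytes, big-endian */
		der = ((size_t)p[2] << 8 | p[3]) + 4u;
	else
		return -1;	/* other length forms are rejected here */
	return der <= payload ? (long)der : -1;	/* container must fit the payload */
}

/* Constructed sample: the wrapper and SEQUENCE tag bytes from the debugging
 * output, zero-filled to 0x968 bytes, with the two ASN.1 length bytes settable. */
long demo(uint8_t len_hi, uint8_t len_lo)
{
	static uint8_t blob[0x968] = { 0x68, 0x09, 0x00, 0x00, 0x00, 0x02, 0x02, 0x00,
				       0x30, 0x82 };
	blob[10] = len_hi;
	blob[11] = len_lo;
	return strip_sig_wrapper(blob, sizeof(blob));
}

int main(void)
{
	printf("PKCS#7 length: 0x%lx\n", (unsigned long)demo(0x09, 0x56));
	return 0;
}
```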


Revision tags: v3.17-rc3, v3.17-rc2
# 83bc90e1 24-Aug-2014 Ingo Molnar <mingo@kernel.org>

Merge branch 'linus' into perf/core, to fix conflicts

Conflicts:
arch/x86/kernel/cpu/perf_event_intel_uncore*.c

Signed-off-by: Ingo Molnar <mingo@kernel.org>


# 80b304fd 22-Aug-2014 Ingo Molnar <mingo@kernel.org>

Merge tag 'efi-urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/mfleming/efi into x86/urgent

Pull EFI fixes from Matt Fleming:

* WARN_ON(!spin_is_locked()) always triggers on non-SMP machines.
Swap it for the more canonical lockdep_assert_held() which always
does the right thing - Guenter Roeck

* Assign the correct value to efi.runtime_version on arm64 so that all
the runtime services can be invoked - Semen Protsenko

Signed-off-by: Ingo Molnar <mingo@kernel.org>


# 2871f352 21-Aug-2014 Mauro Carvalho Chehab <m.chehab@samsung.com>

Merge tag 'v3.17-rc1' into patchwork

Linux 3.17-rc1


# 5b49ab3e 19-Aug-2014 Brian Norris <computersforpeace@gmail.com>

Merge l2-mtd/next into l2-mtd/master


Revision tags: v3.17-rc1
# bb2cbf5e 06-Aug-2014 Linus Torvalds <torvalds@linux-foundation.org>

Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem updates from James Morris:
"In this release:

- PKCS#7 parser for the key management subsystem from David Howells
- appoint Kees Cook as seccomp maintainer
- bugfixes and general maintenance across the subsystem"

* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (94 commits)
X.509: Need to export x509_request_asymmetric_key()
netlabel: shorter names for the NetLabel catmap funcs/structs
netlabel: fix the catmap walking functions
netlabel: fix the horribly broken catmap functions
netlabel: fix a problem when setting bits below the previously lowest bit
PKCS#7: X.509 certificate issuer and subject are mandatory fields in the ASN.1
tpm: simplify code by using %*phN specifier
tpm: Provide a generic means to override the chip returned timeouts
tpm: missing tpm_chip_put in tpm_get_random()
tpm: Properly clean sysfs entries in error path
tpm: Add missing tpm_do_selftest to ST33 I2C driver
PKCS#7: Use x509_request_asymmetric_key()
Revert "selinux: fix the default socket labeling in sock_graft()"
X.509: x509_request_asymmetric_keys() doesn't need string length arguments
PKCS#7: fix sparse non static symbol warning
KEYS: revert encrypted key change
ima: add support for measuring and appraising firmware
firmware_class: perform new LSM checks
security: introduce kernel_fw_from_file hook
PKCS#7: Missing inclusion of linux/err.h
...


Revision tags: v3.16, v3.16-rc7
# 4ca332e1 24-Jul-2014 James Morris <james.l.morris@oracle.com>

Merge tag 'keys-next-20140722' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into next


# 6204e002 22-Jul-2014 David Howells <dhowells@redhat.com>

Merge tag 'keys-pefile-20140709' into keys-next

Here's a set of changes that implement a PE file signature checker.

This provides the following facility:

(1) Extract the signature from the PE file. This is a PKCS#7 message
containing, as its data, a hash of the signed parts of the file.

(2) Digest the signed parts of the file.

(3) Compare the digest with the one from the PKCS#7 message.

(4) Validate the signatures on the PKCS#7 message and indicate
whether it was matched by a trusted key.

Signed-off-by: David Howells <dhowells@redhat.com>


Revision tags: v3.16-rc6, v3.16-rc5, v3.16-rc4
# 98801c00 01-Jul-2014 David Howells <dhowells@redhat.com>

pefile: Validate PKCS#7 trust chain

Validate the PKCS#7 trust chain against the contents of the system keyring.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Vivek Goyal <vgoyal@redhat.com>


# af316fc4 01-Jul-2014 David Howells <dhowells@redhat.com>

pefile: Digest the PE binary and compare to the PKCS#7 data

Digest the signed parts of the PE binary, canonicalising the section table
before we need it, and then compare the resulting digest to the one in the
PKCS#7 signed content.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Vivek Goyal <vgoyal@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>


# 4c0b4b1d 01-Jul-2014 David Howells <dhowells@redhat.com>

pefile: Parse the "Microsoft individual code signing" data blob

The PKCS#7 certificate should contain a "Microsoft individual code signing"
data blob as its signed content. This blob contains a digest of the signed
content of the PE binary and the OID of the digest algorithm used (typically
SHA256).

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Vivek Goyal <vgoyal@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>


# 3968280c 01-Jul-2014 David Howells <dhowells@redhat.com>

pefile: Parse the presumed PKCS#7 content of the certificate blob

Parse the content of the certificate blob, presuming it to be PKCS#7 format.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Vivek Goyal <vgoyal@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>


# 09dacbbd 01-Jul-2014 David Howells <dhowells@redhat.com>

pefile: Strip the wrapper off of the cert data block

The certificate data block in a PE binary has a wrapper around the PKCS#7
signature we actually want to get at. Strip this off and check that we've got
something that appears to be a PKCS#7 signature.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Vivek Goyal <vgoyal@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>


# 26d1164b 01-Jul-2014 David Howells <dhowells@redhat.com>

pefile: Parse a PE binary to find a key and a signature contained therein

Parse a PE binary to find a key and a signature contained therein. Later
patches will check the signature and add the key if the signature checks out.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Vivek Goyal <vgoyal@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
